Multiple SQL injection vulnerabilities in the OpenEMR project
Vulnerable functions in file: /openemr/interface/forms/eye_mag/save.php
Conditions: any authorized user
Vulnerable versions: <5.0.2. Fixed in version 5.0.2.
There are two vulnerable functions:
- "store_PDF", with the unfiltered variable "encounter",
- "canvas", with the two unfiltered variables "encounter" and "zone".
Both functions use these variables in a DELETE
SQL query without any filtering. Both variables are controlled by the attacker.
Error messages contain the text of the SQL queries and the SQL error message, which can be used for
error-based SQL injection.
This allows disclosure of VERY sensitive information, since this software is used in the medical sphere.
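
The general fix for this class of bug, as an added example that is not OpenEMR's code or its actual patch: validate both request values, bind them as parameters in the DELETE, and keep the query text and database error out of the response. The table "drawings", the zone names, and the functions demo_db() and delete_drawing() are hypothetical, and PDO with an in-memory SQLite database stands in for the real database layer.

```php
<?php
declare(strict_types=1);

// Constructed in-memory table standing in for the real one (hypothetical schema).
function demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE drawings (encounter INTEGER, zone TEXT, data TEXT)');
    $pdo->exec("INSERT INTO drawings VALUES (12, 'zone_a', 'x'), (12, 'zone_b', 'y'), (13, 'zone_a', 'z')");
    return $pdo;
}

// Zone names accepted by this example (assumed list, not taken from OpenEMR).
const ALLOWED_ZONES = ['zone_a', 'zone_b'];

// Unsafe pattern of the kind the advisory describes, shown only as a comment:
//   "DELETE FROM drawings WHERE encounter=" . $encounter . " AND zone='" . $zone . "'"

function delete_drawing(PDO $pdo, string $encounter, string $zone): int
{
    // 1. Validate: encounter must be all digits, zone must be an allow-listed name.
    if (!ctype_digit($encounter) || !in_array($zone, ALLOWED_ZONES, true)) {
        throw new InvalidArgumentException('Invalid request parameters');
    }
    try {
        // 2. Bind the values as parameters so they are never parsed as SQL.
        $stmt = $pdo->prepare('DELETE FROM drawings WHERE encounter = ? AND zone = ?');
        $stmt->execute([(int) $encounter, $zone]);
        return $stmt->rowCount();
    } catch (PDOException $e) {
        // 3. Log details server-side; the caller sees neither the query nor the DB error.
        error_log('delete_drawing failed: ' . $e->getMessage());
        throw new RuntimeException('Database error');
    }
}

$pdo = demo_db();
echo delete_drawing($pdo, '12', 'zone_a'), " row(s) deleted\n";   // well-formed request
try {
    delete_drawing($pdo, '12 OR 1=1', 'zone_a');                  // constructed non-numeric value
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo $pdo->query('SELECT COUNT(*) FROM drawings')->fetchColumn(), " row(s) remain\n";
```
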
P.S. Special thanks to Brady G. Miller from the OpenEMR team for the fast response and patches.